Disallow top-level navigation to data:// URLs

This is recommended to prevent phishing attacks, see https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/ WebKitGTK has introduced a WebKitSettings.allow-top-navigation-to-data-urls property which can be used for this when set to FALSE. While trunk already uses that default, in WebKitGTK 2.28 this defaults to TRUE and needs to be explicitly set.

Disallow top-level navigation to data:// URLs
This is recommended to prevent phishing attacks, see https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-59/ WebKitGTK has introduced a WebKitSettings.allow-top-navigation-to-data-urls property which can be used for this when set to FALSE. While trunk already uses that default, in WebKitGTK 2.28 this defaults to TRUE and needs to be explicitly set.
cba76bc1 · Adrian Perez de Castro · 4544ae7c · cba76bc1
Unverified Commit cba76bc1 authored 5 years ago by Adrian Perez de Castro
--- a/embed/ephy-embed-prefs.c
+++ b/embed/ephy-embed-prefs.c
@@ -501,6 +501,9 @@ ephy_embed_prefs_init (gpointer user_data)
                                                       "enable-webaudio", TRUE, /* FIXME: https://bugs.webkit.org/show_bug.cgi?id=205334 */
                                                       "enable-webgl", TRUE, /* FIXME: https://bugs.webkit.org/show_bug.cgi?id=205335 */
                                                       "javascript-can-open-windows-automatically", TRUE,
+#if WEBKIT_CHECK_VERSION (2, 27, 90) && !WEBKIT_CHECK_VERSION (2, 30, 0)
+                                                       "allow-top-navigation-to-data-urls", FALSE,
+#endif
                                                       NULL);

  for (i = 0; i < G_N_ELEMENTS (webkit_pref_entries); i++) {